As the U.S. Department of Defense increasingly worries about damage that could result from a massive cyberattack, national security leaders are debating the best strategy to prevent such incursions. Should they adopt a philosophy that aims to stop an attack of any kind or should they try to dissuade enemies from specifically pursuing a cyberattack?

Hoover Institution fellows Amy Zegart and Herb Lin discusses their recent book Bytes, Bombs, and Spies: The Strategic Dimensions of Offensive Cyber Operations.

Today, Lawfare published an article by Alexei Bulazel, Sophia d’Antoine, Perri Adams and Dave Aitel on “The Risks of Huawei Risk Mitigation” that seemingly disagrees with an earlier piece of mine on the topic. But apart from a bit of snark about my use of the confidentiality-integrity-availability (CIA) triad as a pillar of the security discussion and the definition of risk mitigation, I don’t disagree with anything in their piece and endorse almost all of it.

While Congress has been holding hearings, poking tech execs, and dancing the legislative Fandango, the marketplace has imposed actual sanctions. Between the time Facebook’s Cambridge Analytica scandal was revealed, March of last year, and March of this year, shareholders lost more than $61.6 billion adjusted for overall market (NASDAQ) fluctuations. In contrast, Sen. Wyden’s 4 percent fine—even if applied to global sales, and instantly—would whack just $2.2 billion from the Facebook moguls.